---
title: Configuring two-factor authentication
---

import shared from '~/shared.js'

You can enable two-factor authentication (2FA) on your npm user account to protect against unauthorized access to your account and packages, either by using a [security-key][webauthn] or [time-based one-time password (TOTP)][totp] from a mobile app.

## Prerequisites

Before you enable 2FA on your npm user account, you must:

- Update your npm client to version 5.5.1 or higher.
- To configure a security-key requires a modern browser that support [WebAuthn][can-i-use]. This will allow you to configure a biometric devices featuring Apple [Touch ID][touch-id], [Face ID][face-id], or [Windows Hello][windows-hello] as well as physical keys such as [Yubikey][yubikey], [Thetis][thetis], or [Feitian][feitian].
- To configure TOTP you will need to install an authenticator application that can generate OTPs such as [Authy][authy], [Google Authenticator][google-authenticator], or [Microsoft Authenticator][microsoft-authenticator] on your mobile device.

For more information on supported 2FA methods, see "[About two-factor authentication][about-two-factor-authentication]".

<Note>

**Note:** npm does not accept SMS (text-to-phone) as a 2FA method.

</Note>

## Configuring 2FA from the website

### Enabling 2FA

1. <>{shared['user-login'].text}</>

   <>{shared['user-login'].image}</>

2. <>{shared['account-settings'].text}</>

   <>{shared['account-settings'].image}</>

3. On the account settings page, under "Two-Factor Authentication", click **Enable 2FA**.

   <Screenshot src="/getting-started/setting-up-your-npm-user-account/2fa-enable.png" alt="Screenshot showing Enable 2FA button" />

4. When prompted provide your current account password and then click **Confirm password to continue**.

5. On the 2FA method page, select the method you would like to enable and click **Continue**. For more information on supported 2FA methods, see "[About two-factor authentication][about-two-factor-authentication]".

   <Screenshot src="/getting-started/setting-up-your-npm-user-account/device-selection.png" alt="Screenshot showing 2FA types" />

6. Configure the 2FA method of your choice:
   - When using a **security-key**, provide a name for it and click **Add security key**. Follow the browser specific steps to add your security-key.

   <Screenshot src="/getting-started/setting-up-your-npm-user-account/2fa-add-security-key.png" alt="Screenshot showing security key setup" />

- Below is an example of configuration from Microsoft Edge running on a MacOS

   <Screenshot src="/getting-started/setting-up-your-npm-user-account/touch-id-mac-edge.png" alt="Screenshot showing 2FA device selection" />

- When using an **authenticator application** on your phone, open it and scan the QR code on the two-step verification page. Enter the code generated by the app, then click **Verify**.

   <Screenshot src="/getting-started/setting-up-your-npm-user-account/2fa-verify.png" alt="Screenshot showing 2FA device selection" />

7. On the recovery code page, copy the recovery codes to your computer or other safe location that is not your second factor device. We recommend using a password manager.

   <Screenshot src="/getting-started/setting-up-your-npm-user-account/recovery-code.png" alt="Screenshot showing the Recovery Code page" />

   _Recovery codes are the only way to ensure you can recover your account if you lose access to your second factor device. Each code can be used only once. You can [view and regenerate your recovery code][viewing-and-regenerating-recovery-code] from your 2FA settings page. For secondary account recovery options, see "[Configuring account recovery options][configuring-account-recovery-options]."_

8. Click **Go back to settings** after confirming that you have saved your codes.

### Disabling 2FA for writes

Check the [Authorization and writes][authorization-and-writes] section for more information on different operations that requires 2FA when this mode is enabled.

<Note>

**Note**: As a recommended setting, 2FA for write operations are _automatically enabled_ when setting up 2FA. The following steps explain how to disable it.

</Note>

1. <>{shared['user-login'].text}</>

   <>{shared['user-login'].image}</>

2. <>{shared['account-settings'].text}</>

   <>{shared['account-settings'].image}</>

3. On the account settings page, under "Two-Factor Authentication", click **Modify 2FA**.

   <Screenshot src="/getting-started/setting-up-your-npm-user-account/2fa-modify.png" alt="Screenshot showing Modify 2FA button" />

4. From the "Manage Two-Factor Authentication" navigate to "Additional Options" section

5. Clear the checkbox for "Require two-factor authentication for write actions" and click "Update Preferences"

   <Screenshot src="/getting-started/setting-up-your-npm-user-account/disable-2fa-button.png" alt="Screenshot showing a cleared check box to disable 2fa under Addition options" />

### Disabling 2FA

If you have 2FA enabled, you can remove it from your account settings page.

<Note>

**Note:** You cannot remove 2FA if you are a member of an organization that enforces 2FA. You can view the list of organizations memberships from your profile page under the "Organizations" tab.

</Note>

1. <>{shared['user-login'].text}</>

   <>{shared['user-login'].image}</>

2. <>{shared['account-settings'].text}</>

   <>{shared['account-settings'].image}</>

3. On the account settings page, under "Two-Factor Authentication", click **Modify 2FA**.

   <Screenshot src="/getting-started/setting-up-your-npm-user-account/2fa-modify.png" alt="Screenshot showing Modify 2FA button" />

4. Scroll to the bottom of the "Manage Two-Factor Authentication" page and click Disable 2FA.

   <Screenshot src="/getting-started/setting-up-your-npm-user-account/2fa-disable.png" alt="Screenshot showing Disable 2FA button" />

5. Agree to the prompt from the browser.

## Configuring 2FA from the command line

### Enabling 2FA from the command line

Although security-key with WebAuthn can be used for authentication from both the web and the command line, it can only be configured from the web. When enabling 2FA from the command line, currently the only available option is to use an TOTP mobile app.

<Note>

**Note:** Settings you configure on the command line will also apply to your profile settings on the npm website.

</Note>

1. If you are logged out on the command line, log in using `npm login` command.

2. On the command line, type the [`npm profile`](/cli/profile) command along with the option for the 2FA mode you want to enable:
   - To enable 2FA for authorization and writes, type:

     ```
     npm profile enable-2fa auth-and-writes
     ```

   - To enable 2FA for authorization only, type:

     ```
     npm profile enable-2fa auth-only
     ```

3. To add npm to your authenticator application, using the device with the app, you can either:
   - Scan the QR code displayed on the command line.
   - Type the number displayed below the QR code.

4. When prompted to add an OTP code from your authenticator, on the command line, enter a one-time password generated by your authenticator app.

### Sending a one-time password from the command line

If you have enabled 2FA auth-and-writes, you will need to send the TOTP from the command line for certain commands to work. To do this, append `--otp=123456` (where _123456_ is the code generated by your authenticator) at the end of the command. Here are a few examples:

```
npm publish [<tarball>|<folder>][--tag <tag>] --otp=123456
npm owner add <user > --otp=123456
npm owner rm <user> --otp=123456
npm dist-tags add <pkg>@<version> [<tag>] --otp=123456
npm access edit [<package>) --otp=123456
npm unpublish [<@scope>/]<pkg>[@<version>] --otp=123456
```

### Removing 2FA from the command line

1. If you are logged out on the command line, log in using `npm login` command.

2. On the command line, type the following command:

   ```
   npm profile disable-2fa
   ```

3. When prompted, enter your npm password:

   <Prompt>npm password:</Prompt>

4. When prompted for a one-time password, enter a password from your authenticator app:

   <Prompt>Enter one-time password from your authenticator: <strong>123456</strong></Prompt>

## Configuring account recovery options

When you enable 2FA on your npm user account, we strongly recommend you link your GitHub and/or Twitter accounts to your npm user account. In the event you lose access to your 2FA device and recovery codes, these linked accounts can be used to verify your identity and expedite the recovery of your npm account.

1. <>{shared['user-login'].text}</>

   <>{shared['user-login'].image}</>

2. <>{shared['account-settings'].text}</>

   <>{shared['account-settings'].image}</>

3. To [link your GitHub][advanced-github-setup] account, on the account settings page, under "Linked Accounts & Recovery Option", click **Link with GitHub**.

   <Screenshot src="/getting-started/setting-up-your-npm-user-account/link-github-account.png" alt="Screenshot showing Link GitHub account button" />

4. On the authorization page, verify all information looks correct. Then click **Authorize npm account link**.
5. To [link your Twitter][advanced-twitter-setup] account, on the account settings page, under "Linked Accounts & Recovery Option", click **Link with Twitter**.

   <Screenshot src="/getting-started/setting-up-your-npm-user-account/link-twitter-account.png" alt="Screenshot showing Link Twitter account button" />

6. On the authorization page, verify all information looks correct. Then click **Authorize app**.

The Twitter or GitHub account is now linked to your npm account. To remove the link to either account, you can click the **Remove** button next to the account you want to remove from your npm account.

## Resolving TOTP errors

If you are entering what seems to be a valid [TOTP][totp] but you see an error, be sure that you are using the correct authenticator account. If you have multiple authenticator accounts, using an TOTP from the wrong account will cause an error.

Also, when you reset two-factor authentication after it has been disabled, the authenticator might create a second account with the same name. Please see the authenticator documentation to delete the old account.

[about-two-factor-authentication]: /about-two-factor-authentication
[authorization-and-writes]: /about-two-factor-authentication#authorization-and-writes
[login]: /cli/adduser
[recovering-your-2fa-enabled-account]: /recovering-your-2fa-enabled-account
[can-i-use]: https://caniuse.com/#search=webauthn
[viewing-and-regenerating-recovery-code]: /recovering-your-2fa-enabled-account#viewing-and-regenerating-recovery-code
[totp]: https://en.wikipedia.org/wiki/Time-based_one-time_password
[authy]: https://authy.com/download/
[google-authenticator]: https://support.google.com/accounts/answer/1066447
[microsoft-authenticator]: https://www.microsoft.com/security/mobile-authenticator-app
[webauthn]: https://webauthn.guide/
[u2f]: https://en.wikipedia.org/wiki/Universal_2nd_Factor
[windows-hello]: https://support.microsoft.com/en-us/windows/learn-about-windows-hello-and-set-it-up-dae28983-8242-bb2a-d3d1-87c9d265a5f0
[touch-id]: https://support.apple.com/en-gb/HT204587
[face-id]: https://support.apple.com/en-us/HT208108
[yubikey]: https://www.yubico.com/
[thetis]: https://thetis.io/
[feitian]: https://www.ftsafe.com/
[configuring-account-recovery-options]: /configuring-two-factor-authentication#configuring-account-recovery-options
[advanced-github-setup]: managing-your-profile-settings#linking-your-npm-and-github-accounts
[advanced-twitter-setup]: /managing-your-profile-settings#linking-your-npm-and-twitter-accounts
